Rate Limiting
API abuse prevention with in-memory, Redis-based, and sliding window rate limiting implementations, plus per-user tiered limits.
What's Included
- In-memory fixed window rate limiter for single-instance deployments
- Redis-based rate limiter using Upstash for distributed environments
- Sliding window algorithm for more accurate sustained traffic control
- Token bucket algorithm for burst-tolerant rate limiting
- Per-user and per-IP limiting with tiered plans (free, pro, enterprise)
- Rate limit middleware with per-endpoint configuration
- Standard rate limit response headers (X-RateLimit-Limit, Retry-After)
Usage
Via CLI
Via AI Assistant
Ask your AI assistant:
- "Use the rate limiting pattern from Bootspring"
- "Apply the Bootspring rate limiting pattern to my project"
Key Considerations
- Use Redis in production: in-memory rate limiting does not work across multiple instances, because each instance keeps its own counters
- Set stricter limits on auth endpoints (login, register) than general API endpoints
- Provide higher limits for authenticated and premium-tier users
- Always include rate limit headers in responses to help clients manage their request budgets
- Degrade gracefully if Redis is unavailable rather than blocking all requests
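The considerations above combined in one limiter, as an added example that is not Bootspring's own code: a sliding window log keyed per user or per IP, with tiered limits, a stricter auth budget, and the rate limit response headers. The limit values, window length, the `checkRateLimit` name and the `X-RateLimit-Remaining` header are assumptions; state is held in memory, so this is the single-instance variant.

```javascript
// Assumed values for illustration, not Bootspring defaults.
const WINDOW_MS = 60_000;
const LIMITS = {
  auth: { free: 5, pro: 5, enterprise: 5 }, // login/register: strict for every tier
  api: { free: 60, pro: 600, enterprise: 6000 },
};

// key -> ascending timestamps of accepted requests.
// Idle keys are never evicted here; a long-running service needs a sweep or TTL.
const hits = new Map();

// Sliding window log: only requests accepted in the last WINDOW_MS count.
function checkRateLimit({ userId, ip, tier = "free", endpoint = "api" }, now = Date.now()) {
  const table = LIMITS[endpoint] ?? LIMITS.api;
  const limit = table[tier] ?? table.free; // unknown tier gets the lowest budget

  // Key by user when authenticated, otherwise by IP; endpoints have separate budgets.
  const subject = userId ? `user:${userId}` : `ip:${ip}`;
  const key = `${endpoint}:${subject}`;

  // Drop timestamps that have slid out of the window.
  const log = (hits.get(key) ?? []).filter((t) => t > now - WINDOW_MS);

  const allowed = log.length < limit;
  if (allowed) log.push(now); // rejected requests are not recorded, so the log stays <= limit
  hits.set(key, log);

  const headers = {
    "X-RateLimit-Limit": String(limit),
    "X-RateLimit-Remaining": String(limit - log.length),
  };
  if (!allowed) {
    // The oldest accepted request leaves the window first; report when, in seconds.
    headers["Retry-After"] = String(Math.ceil((log[0] + WINDOW_MS - now) / 1000));
  }
  return { allowed, status: allowed ? 200 : 429, headers };
}
```

In a middleware, copy `headers` onto every response and return the 429 status when `allowed` is false.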
Related Patterns
- Security Headers - HTTP security headers
- API Middleware - Request middleware
- API Rate Limiting - API-focused rate limiting